As shown above, Oracle's patch advisory points out that the current update fixes holes in Java 5.0 Update 41, but the official download page offers you only Java 7 or Java 6.

If you are still using Java 5, it's time to move on.

Apple has copied Oracle, pushing out its updates for those who are still using the Cupertino-issued flavour of Java 6.

A word of warning if you have Apple's Java installed, and you decide to head over to Apple's Downloads page instead of updating via the App Store: when I wrote this (2013-04-17T07:00Z), the Java-related download links were somewhat confusing.

But when I clicked through to the individual download pages (DL1572 and DL1573), I was offered the older 2013-002 and 10.6 Update 14 versions, which would have left me back on Java 6 1.6.0_43.

Be careful: you need 2013-003 or Update 15 to take you to Java 6 1.6.0_45.
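One way to confirm that the right update actually landed, as an added example that is not from the article: the script below pulls the version string out of `java -version` output and compares it with the Java 6 level the article says you should end up on (1.6.0_45). The two sample outputs are constructed.

```shell
#!/bin/sh
# Added example: verify the installed Java reports at least the patched level.
# Reference level from the article: Apple/Oracle Java 6 1.6.0_45.
MIN_JAVA6="1.6.0_45"

# Normalise "1.6.0_43" (or "1.6.0_43-b01") to dotted digits: "1.6.0.43.01".
norm() { printf '%s' "$1" | tr -c '0-9\n' '.' | tr -s '.'; }

# Succeeds when version $1 >= version $2, comparing field by field.
# Missing trailing fields count as 0, so 1.6.0 equals 1.6.0.0.
version_ge() {
    a="$(norm "$1")"; b="$(norm "$2")"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# Extract the quoted version from the first line of `java -version 2>&1`.
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Succeeds when the reported version ($1 = java -version output) meets level $2.
java_version_ok() {
    v="$(parse_java_version "$1")"
    [ -n "$v" ] && version_ge "$v" "$2"
}

# Constructed samples in the shape `java -version 2>&1` prints them.
SAMPLE_OLD='java version "1.6.0_43"
Java(TM) SE Runtime Environment (build constructed-sample)'
SAMPLE_NEW='java version "1.6.0_45"
Java(TM) SE Runtime Environment (build constructed-sample)'

report() {  # $1 = label, $2 = java -version output
    if java_version_ok "$2" "$MIN_JAVA6"; then echo "$1: OK ($(parse_java_version "$2"))"
    else echo "$1: NEEDS UPDATE ($(parse_java_version "$2"), want >= $MIN_JAVA6)"; fi
}
report "sample-old" "$SAMPLE_OLD"
report "sample-new" "$SAMPLE_NEW"
# Live check of whatever `java` is on PATH, if one is installed.
if command -v java >/dev/null 2>&1; then report "installed" "$(java -version 2>&1)"; fi
```

A Java 7 install reports 1.7.0_xx and would pass this Java 6 comparison, so for Java 7 pass the update level from Oracle's own advisory as the second argument instead.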

What's fixed?

This update is strongly recommended by Oracle, and by Naked Security, because it patched 42 different vulnerabilities.

All but three of these 42 security holes are categorised by Oracle as "network vector remote exploit without authentication."

Each of these means, in theory at least, a drive-by install, where malware is delivered straight into your browser, and starts running on your computer without warning, or even any visible sign.

What's new?

Oracle has tried to improve the way that the Java 7 browser plugin warns you about potentially risky applets (Java programs that run inside your browser), since malicious applets are the main Java-related threat.

Java applets are sucked directly into your browser from external websites as you surf, and criminally-minded applets were behind recent network compromises at Facebook, Apple and others.

As long as the various icons are defined and accompanied by the appropriate textual descriptions, I don't find them particularly confusing, although additional differentiation by colour (e.g., yellow on black, white on red) and symbolic content (say, "!", "!!", "!!!", or "1", "2", "3") would help.

Nevertheless, the statement, "... the security ball remains very much in your court" is the appropriate take. It has long been true that responsible use of a computer tied to the Internet requires enough security awareness to recognize that running Java where it's not needed is just asking for trouble.

But I guess that's the problem, isn't it? "Responsible use" is hardly a given among our fellow humanoids, which is why I'm grateful that NakedSecurity is fighting the good fight, and getting the message out.

Under what circumstances might I need Java? I think I turned it off long ago rather than update. Ought I to update and then turn it off? I've forgotten where to go to turn it off. I'm using Snow Leopard.

The only reason you need Java is to run applications that require it. If you had any, you probably would know it. I've had only one, and that was 10 years ago---a project management software application...and it was a dog. I dumped it and ran Microsoft Project in a virtual machine.

What's more likely is that you might use websites that need the Java plugin to run various applications. For me, there's only one of those sites (a banking site). Usually, a site that needs the Java plugin will display the coffee cup icon or some other message if the plugin is missing or disabled.

As far as I know, there's no easy way to remove Java from a Snow Leopard system. The good news is that it won't hurt anything to leave it there, or to keep it updated. It's only there so you can run Java apps, and if you never run any, you have nothing to worry about.

The Java plugin is a different animal. That's something you can disable in your browser preferences. The method for disabling it varies with each browser. (Google it.) In Safari's Preferences for Snow Leopard, the Security tab should already show that Java is disabled (the box is unchecked) if your software is up to date. If not, go ahead and uncheck the box, and that's all there is to it. (Do NOT uncheck the box for JavaScript. You need to leave that enabled for many websites to work properly.)

I updated Oracle Java via its System Prefs control panel - but Apple's "Software Update" still asks me to download a Java update. Should I install it too? Does this mean I have two Javas and need to hunt down and get rid of one of them? Thanks!

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009.
Follow him on Twitter: @duckblog